CSO-002 Part 2 Flashcards
A large software company wants to move its source control and deployment pipelines into a cloud-computing environment. Due to the nature of the business, management determines the recovery time objective needs to be within one hour. Which of the following strategies would put the company in the BEST position to achieve the desired recovery time?
A. Establish an alternate site with active replication to other regions
B. Configure a duplicate environment in the same region and load balance between both instances
C. Set up every cloud component with duplicated copies and auto-scaling turned on
D. Create a duplicate copy on premises that can be used for failover in a disaster situation
A. Establish an alternate site with active replication to other regions
A cybersecurity analyst is reading a daily intelligence digest of new vulnerabilities. The type of vulnerability that should be disseminated FIRST is one that:
A. enables remote code execution that is being exploited in the wild
B. enables data leakage but is not known to be in the environment
C. enables lateral movement and was reported as a proof of concept
D. affected the organization in the past but was probably contained and eradicated
A. enables remote code execution that is being exploited in the wild
A company’s incident response team is handling a threat that was identified on the network. Security analysts have determined a web server is making multiple connections from TCP port 445 outbound to servers inside its subnet as well as at remote sites. Which of the following is the MOST appropriate next step in the incident response plan?
A. Quarantine the web server
B. Deploy virtual firewalls
C. Capture a forensic image of the memory and disk
D. Enable web server containerization
A. Quarantine the web server
During an incident, a cybersecurity analyst found several entries in the web server logs that are related to an IP with a bad reputation. Which of the following would cause the analyst to further review the incident?
A. BadReputationIp - - [2019-04-12 10:43Z] "GET /etc/passwd" 403 1023
B. BadReputationIp - - [2019-04-12 10:43Z] "GET /index.html?src=../.ssh/id_rsa" 401 17044
C. BadReputationIp - - [2019-04-12 10:43Z] "GET /a.php?src=/etc/passwd" 403 11056
D. BadReputationIp - - [2019-04-12 10:43Z] "GET /a.php?src=../../.ssh/id_rsa" 200 15036
E. BadReputationIp - - [2019-04-12 10:43Z] "GET /favicon.ico?src=../usr/share/icons" 200 19064
D. BadReputationIp - - [2019-04-12 10:43Z] "GET /a.php?src=../../.ssh/id_rsa" 200 15036
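The entry to chase is the one where a traversal payload aimed at a credential file came back with a 200: the 401/403 lines still show intent, but the server told the attacker nothing. The Python below is an added example, not part of the original flashcards: it parses lines in the same format, percent-decodes the request target before matching (so double-encoded "..%252F" is not missed), and ranks each entry. The log lines are constructed copies of the ones above plus one double-encoded variant; the regex and the list of sensitive paths are assumptions for the demo.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in the format of the entries above (not real traffic); the
# last line is an added double-encoded variant to show why decoding before matching matters.
SAMPLE_LOG = """\
BadReputationIp - - [2019-04-12 10:43Z] "GET /etc/passwd" 403 1023
BadReputationIp - - [2019-04-12 10:43Z] "GET /index.html?src=../.ssh/id_rsa" 401 17044
BadReputationIp - - [2019-04-12 10:43Z] "GET /a.php?src=/etc/passwd" 403 11056
BadReputationIp - - [2019-04-12 10:43Z] "GET /a.php?src=../../.ssh/id_rsa" 200 15036
BadReputationIp - - [2019-04-12 10:43Z] "GET /favicon.ico?src=../usr/share/icons" 200 19064
BadReputationIp - - [2019-04-12 10:43Z] "GET /a.php?src=..%252F..%252Fetc%252Fshadow" 200 2048
"""

# Assumed line layout: <source> - - [<timestamp>] "<METHOD> <target>" <status> <bytes>
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)$'
)

# Files an attacker would want; a hit on these plus a 2xx status is the priority case.
SENSITIVE = ("/etc/passwd", "/etc/shadow", ".ssh/id_rsa", ".ssh/authorized_keys")

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["bytes"] = int(entry["bytes"])
    # Decode percent-encoding twice so a double-encoded ../ still shows up as ../.
    entry["decoded"] = unquote(unquote(entry["target"]))
    return entry

def classify(entry):
    """Rank one parsed entry for triage."""
    target = entry["decoded"]
    traversal = "../" in target or "..\\" in target
    sensitive = any(path in target for path in SENSITIVE)
    if not (traversal or sensitive):
        return "benign"
    if 200 <= entry["status"] < 300:
        # The server answered a malicious request successfully.
        return "priority" if sensitive else "review"
    return "attempt-blocked"

def triage(log_text):
    """Return (target, status, verdict) for every parseable line, in log order."""
    results = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            results.append((entry["target"], entry["status"], classify(entry)))
    return results

if __name__ == "__main__":
    for target, status, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:16} {status} {target}")
```

The favicon line is traversal with a 200 but names nothing sensitive, so it lands in "review" rather than "priority"; the response size (19064 bytes for a favicon) is the kind of detail that decides whether it gets escalated too.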
A developer wrote a script to make names and other PII data unidentifiable before loading a database export into the testing system. Which of the following describes the type of control that is being used?
A. Data encoding
B. Data masking
C. Data loss prevention
D. Data classification
B. Data masking
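Masking replaces real PII with values that keep the shape the test system expects while removing the identity. The Python below is an added example (not from the flashcards) of the kind of script the question describes: names and e-mail addresses become keyed, deterministic pseudonyms so rows that referred to the same person still join, phone and SSN keep only their last digits, and non-PII columns pass through untouched. The masking key, the field names and the export rows are all constructed for the demo.

```python
import hashlib
import hmac
import re

# Assumption: the key is held only by the export pipeline and never ships to the test
# environment, so the pseudonyms cannot be reversed there.
MASK_KEY = b"example-masking-key-load-from-a-vault"

def pseudonym(value, key=MASK_KEY, length=12):
    """Keyed, deterministic pseudonym: equal inputs map to equal outputs, so joins across
    tables still work in the test system, but the original value cannot be recovered."""
    normalised = value.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:length]

def mask_name(name):
    return "Person-" + pseudonym(name)

def mask_email(email):
    # Keep the shape of an address but drop both the real local part and the real domain.
    return f"user-{pseudonym(email)}@example.invalid"

def mask_phone(phone):
    digits = re.sub(r"\D", "", phone)
    return "XXX-XXX-" + digits[-4:] if len(digits) >= 4 else "XXX-XXX-XXXX"

def mask_ssn(ssn):
    digits = re.sub(r"\D", "", ssn)
    return "XXX-XX-" + digits[-4:] if len(digits) == 9 else "XXX-XX-XXXX"

# Which columns are PII and how each one is masked (assumed schema).
MASKERS = {"name": mask_name, "email": mask_email, "phone": mask_phone, "ssn": mask_ssn}

def mask_record(record):
    """Return a copy with PII fields masked; non-PII fields (ids, balances) pass through
    unchanged so the test system still exercises realistic values."""
    return {key: MASKERS.get(key, lambda v: v)(value) for key, value in record.items()}

# Constructed export rows (fictional people).
EXPORT = [
    {"id": 1, "name": "Ada Example", "email": "Ada@Example.org",
     "phone": "+1 (555) 010-2233", "ssn": "123-45-6789", "balance": 2480.15},
    {"id": 2, "name": "Bob Sample", "email": "bob@sample.org",
     "phone": "555-010-9988", "ssn": "987-65-4321", "balance": 12.00},
]

def mask_export(rows):
    return [mask_record(row) for row in rows]

if __name__ == "__main__":
    for row in mask_export(EXPORT):
        print(row)
```

The keyed HMAC is what separates this from plain hashing: an unkeyed SHA-256 of an e-mail address can be reversed by hashing a list of known addresses, whereas without the key the pseudonyms are just opaque labels.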
Which of the following attacks can be prevented by using output encoding?
A. Server-side request forgery
B. Cross-site scripting
C. SQL injection
D. Command injection
E. Cross-site request forgery
F. Directory traversal
B. Cross-site scripting
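Output encoding works because the browser then sees attacker text as text, not as markup, and the encoder has to match the context the value lands in. The Python below is an added example, not from the flashcards: a vulnerable renderer beside the encoded one for HTML body, HTML attribute and JavaScript string contexts, run against a constructed XSS payload.

```python
import html
import json

# Constructed XSS payload of the kind a comment field would receive.
PAYLOAD = '<img src=x onerror="alert(document.cookie)">'

def render_comment_vulnerable(comment):
    # Reflects attacker-controlled text straight into the page: the browser parses the tag.
    return f'<p class="comment">{comment}</p>'

def render_comment(comment):
    # HTML body context: encode the significant characters (& < > " ').
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'

def render_input(value):
    # HTML attribute context: quote=True is what stops a quote from closing the attribute.
    return f'<input type="text" value="{html.escape(value, quote=True)}">'

def render_js_string(value):
    # JavaScript string context: JSON-encode, then neutralise "</" so the value cannot
    # terminate the enclosing <script> element. Different context, different encoder.
    return json.dumps(value).replace("</", "<\\/")

def contains_live_markup(rendered):
    """Crude check for the demo: did the attacker's tag survive as real markup?"""
    return "<img" in rendered or 'onerror="' in rendered

if __name__ == "__main__":
    print(render_comment_vulnerable(PAYLOAD))
    print(render_comment(PAYLOAD))
    print(render_input('" onmouseover="alert(1)'))
    print(render_js_string("</script><script>alert(1)</script>"))
```

Encoding the output does nothing for SQL injection or command injection, which happen before any HTML exists; those need parameterized queries and argument-safe process APIs respectively.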
The help desk provided a security analyst with a screenshot of a user’s desktop:
For which of the following is aircrack-ng being used?
A. Wireless access point discovery
B. Rainbow attack
C. Brute-force attack
D. PCAP data collection
C. Brute-force attack
A security manager has asked an analyst to provide feedback on the results of a penetration test. After reviewing the results, the manager requests information regarding the possible exploitation of vulnerabilities. Which of the following information data points would be MOST useful for the analyst to provide to the security manager, who would then communicate the risk factors to senior management? (Choose two.)
A. Probability
B. Adversary capability
C. Attack vector
D. Impact
E. Classification
F. Indicators of compromise
A. Probability
D. Impact
A security analyst has been alerted to several emails that show evidence an employee is planning malicious activities that involve employee PII on the network before leaving the organization. The security analyst’s BEST response would be to coordinate with the legal department and:
A. the public relations department
B. senior leadership
C. law enforcement
D. the human resources department
D. the human resources department
While preparing for an audit of information security controls in the environment, an analyst outlines a framework control that has the following requirements:
✑ All sensitive data must be classified.
✑ All sensitive data must be purged on a quarterly basis.
✑ Certificates of disposal must remain on file for at least three years.
This framework control is MOST likely classified as:
A. prescriptive
B. risk-based
C. preventive
D. corrective
A. prescriptive
An analyst performs a routine scan of a host using Nmap and receives the following output:
Port 22/23/80 are open
Which of the following should the analyst investigate FIRST?
A. Port 21
B. Port 22
C. Port 23
D. Port 80
C. Port 23
A security analyst at a technology solutions firm has uncovered the same vulnerabilities on a vulnerability scan for a long period of time. The vulnerabilities are on systems that are dedicated to the firm’s largest client. Which of the following is MOST likely inhibiting the remediation efforts?
A. The parties have an MOU between them that could prevent shutting down the systems
B. There is a potential disruption of the vendor-client relationship
C. Patches for the vulnerabilities have not been fully tested by the software vendor
D. There is an SLA with the client that allows very little downtime
D. There is an SLA with the client that allows very little downtime
A security analyst gathered forensics from a recent intrusion in preparation for legal proceedings. The analyst used EnCase to gather the digital forensics, cloned the hard drive, and took the hard drive home for further analysis. Which of the following did the security analyst violate?
A. Cloning procedures
B. Chain of custody
C. Hashing procedures
D. Virtualization
B. Chain of custody
A threat feed notes malicious actors have been infiltrating companies and exfiltrating data to a specific set of domains. Management at an organization wants to know if it is a victim. Which of the following should the security analyst recommend to identify this behavior without alerting any potential malicious actors?
A. Create an IPS rule to block these domains and trigger an alert within the SIEM tool when these domains are requested.
B. Add the domains to a DNS sinkhole and create an alert in the SIEM tool when the domains are queried
C. Look up the IP addresses for these domains and search firewall logs for any traffic being sent to those IPs over port 443
D. Query DNS logs with a SIEM tool for any hosts requesting the malicious domains and create alerts based on this information
B. Add the domains to a DNS sinkhole and create an alert in the SIEM tool when the domains are queried
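The sinkhole answers the query locally, so the host never reaches the real exfiltration domain and the attacker never sees a change, while the SIEM alert names the querying client. The Python below is an added example, not from the flashcards: it matches a DNS query log against the feed on whole labels (so subdomains match but lookalike suffixes do not) and emits response-policy-zone records that redirect those names to a sinkhole. The feed domains, log lines, sinkhole name and RPZ layout are assumptions for the demo; check your resolver's own RPZ syntax.

```python
# Constructed threat-feed domains and DNS query log; nothing here is a real indicator.
FEED = {"exfil-data.example", "drop.badcdn.example"}

DNS_LOG = """\
2019-04-12T10:43:01Z 10.0.0.23 a1b2c3.exfil-data.example
2019-04-12T10:43:02Z 10.0.0.45 mail.corp.example
2019-04-12T10:43:05Z 10.0.0.23 drop.badcdn.example.
2019-04-12T10:43:09Z 10.0.0.77 notexfil-data.example
2019-04-12T10:44:10Z 10.0.0.45 d4e5.a1b2c3.exfil-data.example
"""

def feed_match(qname, feed=FEED):
    """Return the feed entry that covers qname, matching on whole labels so that
    sub.domain matches but a lookalike suffix (notexfil-data.example) does not."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return candidate
    return None

def find_querying_hosts(log_text, feed=FEED):
    """Map each internal client to the (timestamp, qname, feed entry) hits it produced;
    this is the list the SIEM alert should carry."""
    hits = {}
    for line in log_text.splitlines():
        ts, client, qname = line.split()
        matched = feed_match(qname, feed)
        if matched:
            hits.setdefault(client, []).append((ts, qname, matched))
    return hits

def rpz_records(feed, sinkhole="sinkhole.corp.example."):
    """Response Policy Zone records redirecting each domain and all of its subdomains to a
    host the SOC controls (assumed zone-file layout: owner, CNAME, target)."""
    lines = []
    for domain in sorted(feed):
        lines.append(f"{domain}\tCNAME\t{sinkhole}")
        lines.append(f"*.{domain}\tCNAME\t{sinkhole}")
    return lines

if __name__ == "__main__":
    for client, events in find_querying_hosts(DNS_LOG).items():
        print(client, events)
    print("\n".join(rpz_records(FEED)))
```

Matching on the raw query log, rather than on firewall logs for resolved IPs, also catches hosts whose traffic never left the network and domains whose IPs have since changed.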
A security analyst discovered a specific series of IP addresses that are targeting an organization. None of the attacks have been successful. Which of the following should the security analyst perform NEXT?
A. Begin blocking all IP addresses within that subnet
B. Determine the attack vector and total attack surface
C. Begin a kill chain analysis to determine the impact
D. Conduct threat research on the IP addresses
D. Conduct threat research on the IP addresses
Which of the following is the MOST important objective of a post-incident review?
A. Capture lessons learned and improve incident response processes
B. Develop a process for containment and continue improvement efforts
C. Identify new technologies and strategies to remediate
D. Identify a new management strategy
A. Capture lessons learned and improve incident response processes
An organization was alerted to a possible compromise after its proprietary data was found for sale on the Internet. An analyst is reviewing the logs from the next-generation UTM in an attempt to find evidence of this breach. Given the following output:
Which of the following should be the focus of the investigation?
A. webserver.org-dmz.org
B. sftp.org-dmz.org
C. 83hht23.org-int.org
D. ftps.bluemed.net
A. webserver.org-dmz.org
A company wants to establish a threat-hunting team. Which of the following BEST describes the rationale for integrating intelligence into hunt operations?
A. It enables the team to prioritize the focus areas and tactics within the company’s environment
B. It provides criticality analyses for key enterprise servers and services
C. It allows analysts to receive routine updates on newly discovered software vulnerabilities
D. It supports rapid response and recovery during and following an incident
A. It enables the team to prioritize the focus areas and tactics within the company’s environment
A security analyst is investigating a compromised Linux server. The analyst issues the ps command and receives the following output:
Which of the following commands should the administrator run NEXT to further analyze the compromised system?
A. strace /proc/1301
B. rpm -V openssh-server
C. /bin/ls -l /proc/1301/exe
D. kill -9 1301
A. strace /proc/1301
A security analyst is reviewing the following log entries to identify anomalous activity:
Which of the following attack types is occurring?
A. Directory traversal
B. SQL injection
C. Buffer overflow
D. Cross-site scripting
A. Directory traversal
A web-based front end for a business intelligence application uses pass-through authentication to authenticate users. The application then uses a service account to perform queries and look up data in a database. A security analyst discovers employees are accessing data sets they have not been authorized to use. Which of the following will fix the cause of the issue?
A. Change the security model to force the users to access the database as themselves
B. Parameterize queries to prevent unauthorized SQL queries against the database
C. Configure database security logging using syslog or a SIEM
D. Enforce unique session IDs so users do not get a reused session ID
A. Change the security model to force the users to access the database as themselves
A company’s Chief Information Security Officer (CISO) is concerned about the integrity of some highly confidential files. Any changes to these files must be tied back to a specific authorized user’s activity session. Which of the following is the BEST technique to address the CISO’s concerns?
A. Configure DLP to reject all changes to the files without pre-authorization. Monitor the files for unauthorized changes.
B. Regularly use SHA-256 to hash the directory containing the sensitive information. Monitor the files for unauthorized changes.
C. Place a legal hold on the files. Require authorized users to abide by a strict time context access policy. Monitor the files for unauthorized changes.
D. Use Wireshark to scan all traffic to and from the directory. Monitor the files for unauthorized changes.
A. Configure DLP to reject all changes to the files without pre-authorization. Monitor the files for unauthorized changes.
Which of the following secure coding techniques can be used to prevent cross-site request forgery attacks?
A. Input validation
B. Output encoding
C. Parameterized queries
D. Tokenization
D. Tokenization
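The anti-CSRF token works because the browser attaches the session cookie to a forged cross-site request automatically, but the forging page cannot read or fabricate a token that is valid for the victim's session. The Python below is an added example, not from the flashcards: a synchronizer token built from a random nonce and an HMAC that binds it to the session, verified in constant time before a state-changing handler runs. The server key, session identifiers and form fields are assumptions for the demo.

```python
import hashlib
import hmac
import secrets

# Assumption: one server-side key, rotated with the app's other secrets, never sent to clients.
SERVER_KEY = secrets.token_bytes(32)

def issue_csrf_token(session_id, key=SERVER_KEY):
    """Synchronizer token: a random nonce plus an HMAC binding that nonce to this session.
    Embed it in the form as a hidden field; it is never placed in a cookie."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"

def verify_csrf_token(session_id, token, key=SERVER_KEY):
    """True only if the token was issued for this session and has not been altered."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)   # constant-time comparison

def handle_transfer(form, session_id):
    """State-changing handler. The check runs before anything is changed, so a forged
    cross-site POST carrying the victim's cookie but no valid token is refused."""
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {form['amount']} to {form['to']}"

if __name__ == "__main__":
    session = "sess-victim"
    token = issue_csrf_token(session)
    print(handle_transfer({"amount": "1000", "to": "attacker"}, session))
    print(handle_transfer({"amount": "1000", "to": "attacker", "csrf_token": token}, session))
```

Because the token is bound to the session ID, a token the attacker obtains from their own session is rejected for the victim's; a production version would also fold an expiry into the HMAC input.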
A security analyst scanned an internal company subnet and discovered a host with the following Nmap output.
Based on the output of this Nmap scan, which of the following should the analyst investigate FIRST?
A. Port 22
B. Port 135
C. Port 445
D. Port 3389
A. Port 22
Which of the following technologies can be used to store digital certificates and is typically used in high-security implementations where integrity is paramount?
A. HSM
B. eFuse
C. UEFI
D. Self-encrypting drive
A. HSM
A security analyst is investigating a malware infection that occurred on a Windows system. The system was not connected to a network and had no wireless capability. Company policy prohibits using portable media or mobile storage. The security analyst is trying to determine which user caused the malware to get onto the system. Which of the following registry keys would MOST likely have this information?
A. HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run
B. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
C. HKEY_USERS\Software\Microsoft\Windows\explorer\MountPoints2
D. HKEY_USERS\Software\Microsoft\Internet Explorer\Typed URLs
E. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\System\iusb3hub
C. HKEY_USERS\Software\Microsoft\Windows\explorer\MountPoints2
MountPoints2 lives in each user’s own hive (NTUSER.DAT) and records the volumes that user mounted, so it ties a USB device to a specific account; the HKLM eventlog key is a system-wide driver registration and says nothing about which user was logged on.
Clients are unable to access a company’s API to obtain pricing data. An analyst discovers sources other than clients are scraping the API for data, which is causing the servers to exceed available resources. Which of the following would be BEST to protect the availability of the APIs?
A. IP whitelisting
B. Certificate-based authentication
C. Virtual private network
D. Web application firewall
D. Web application firewall
A security analyst recently discovered two unauthorized hosts on the campus’s wireless network segment from a man-in-the-middle attack. The security analyst also verified that privileges were not escalated, and the two devices did not gain access to other network devices. Which of the following would BEST mitigate and improve the security posture of the wireless network for this type of attack?
A. Enable MAC filtering on the wireless router and suggest a stronger encryption for the wireless network
B. Change the SSID, strengthen the passcode, and implement MAC filtering on the wireless router
C. Enable MAC filtering on the wireless router and create a whitelist that allows devices on the network
D. Conduct a wireless survey to determine if the wireless strength needs to be reduced
A. Enable MAC filtering on the wireless router and suggest a stronger encryption for the wireless network
Given the Nmap request below:
Which of the following actions will an attacker be able to initiate directly against this host?
A. Password sniffing
B. ARP spoofing
C. A brute-force attack
D. An SQL injection
C. A brute-force attack
As part of an organization’s information security governance process, a Chief Information Security Officer (CISO) is working with the compliance officer to update policies to include statements related to new regulatory and legal requirements. Which of the following should be done to BEST ensure all employees are appropriately aware of changes to the policies?
A. Conduct a risk assessment based on the controls defined in the newly revised policies
B. Require all employees to attend updated security awareness training and sign an acknowledgement
C. Post the policies on the organizationג€™s intranet and provide copies of any revised policies to all active vendors
D. Distribute revised copies of policies to employees and obtain a signed acknowledgement from them
B. Require all employees to attend updated security awareness training and sign an acknowledgement
During an investigation, an analyst discovers the following rule in an executive’s email client:
IF * TO THEN mailto:
SELECT FROM ‘sent’ THEN DELETE FROM
The executive is not aware of this rule. Which of the following should the analyst do FIRST to evaluate the potential impact of this security incident?
A. Check the server logs to evaluate which emails were sent to
B. Use the SIEM to correlate logging events from the email server and the domain server
C. Remove the rule from the email client and change the password
D. Recommend that management implement SPF and DKIM
A. Check the server logs to evaluate which emails were sent to
A critical server was compromised by malware, and all functionality was lost. Backups of this server were taken; however, management believes a logic bomb may have been injected by a rootkit. Which of the following should a security analyst perform to restore functionality quickly?
A. Work backward, restoring each backup until the server is clean
B. Restore the previous backup and scan with a live boot anti-malware scanner
C. Stand up a new server and restore critical data from backups
D. Offload the critical data to a new server and continue operations
C. Stand up a new server and restore critical data from backups
An analyst wants to identify hosts that are connecting to the external FTP servers and what, if any, passwords are being used. Which of the following commands should the analyst use?
A. tcpdump -X dst port 21
B. ftp ftp.server -p 21
C. nmap -o ftp.server -p 21
D. telnet ftp.server 21
A. tcpdump -X dst port 21
An incident response team is responding to a breach of multiple systems that contain PII and PHI. Disclosing the incident to external entities should be based on:
A. the responderג€™s discretion
B. the public relations policy
C. the communication plan
D. senior managementג€™s guidance
C. the communication plan
A security analyst is responding to an incident on a web server on the company network that is making a large number of outbound requests over DNS. Which of the following is the FIRST step the analyst should take to evaluate this potential indicator of compromise?
A. Run an anti-malware scan on the system to detect and eradicate the current threat
B. Start a network capture on the system to look into the DNS requests to validate command and control traffic
C. Shut down the system to prevent further degradation of the company network
D. Reimage the machine to remove the threat completely and get back to a normal running state
E. Isolate the system on the network to ensure it cannot access other systems while evaluation is underway
B. Start a network capture on the system to look into the DNS requests to validate command and control traffic
A security analyst needs to assess the web server versions on a list of hosts to determine which are running a vulnerable version of the software and output that list into an XML file named webserverlist.xml. The host list is provided in a file named webserverlist.txt. Which of the following Nmap commands would BEST accomplish this goal?
A. nmap -iL webserverlist.txt -sC -p 443 -oX webserverlist.xml
B. nmap -iL webserverlist.txt -sV -p 443 -oX webserverlist.xml
C. nmap -iL webserverlist.txt -F -p 443 -oX webserverlist.xml
D. nmap --takefile webserverlist.txt --outputfileasXML webserverlist.xml --scanports 443
B. nmap -iL webserverlist.txt -sV -p 443 -oX webserverlist.xml
-sV enables service/version detection, which is what fills in the product and version fields; -sC only runs the default NSE scripts and -F just limits the port count, and neither reports a server version. -iL reads the target list and -oX writes the XML.
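The XML that -oX writes is what makes the result usable at scale: each open port carries a service element with product and version attributes that can be compared against a fixed-version threshold. The Python below is an added example, not from the flashcards: it reads a constructed excerpt in the shape of nmap -sV -oX output and sorts hosts into vulnerable, patched and unknown (no banner, needs a manual check). The version thresholds are illustrative assumptions, not advisory data.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt in the shape of nmap -sV -oX output, trimmed to the elements read
# below; not a real scan result.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -iL webserverlist.txt -sV -p 443 -oX webserverlist.xml">
  <host>
    <address addr="10.0.0.10" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="443"><state state="open"/>
      <service name="http" product="Apache httpd" version="2.4.49" tunnel="ssl"/></port></ports>
  </host>
  <host>
    <address addr="10.0.0.11" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="443"><state state="open"/>
      <service name="http" product="nginx" version="1.24.0" tunnel="ssl"/></port></ports>
  </host>
  <host>
    <address addr="10.0.0.12" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="443"><state state="open"/>
      <service name="https"/></port></ports>
  </host>
</nmaprun>
"""

# Assumption: illustrative "first fixed" versions; take real thresholds from the advisory.
MIN_FIXED = {"Apache httpd": (2, 4, 51), "nginx": (1, 24, 0)}

def version_tuple(text):
    """'2.4.49' -> (2, 4, 49); stops at the first piece with no digits ('1.18.0-ubuntu')."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)

def open_web_services(xml_text):
    """Yield (addr, product, version) for every open port, with None where -sV got no banner."""
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            product = svc.get("product") if svc is not None else None
            version = svc.get("version") if svc is not None else None
            yield addr, product, version

def classify_hosts(xml_text, min_fixed=MIN_FIXED):
    """Split hosts into vulnerable, patched and unknown (no version, needs a manual check)."""
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for addr, product, version in open_web_services(xml_text):
        if product not in min_fixed or not version:
            result["unknown"].append((addr, product, version))
        elif version_tuple(version) < min_fixed[product]:
            result["vulnerable"].append((addr, product, version))
        else:
            result["patched"].append((addr, product, version))
    return result

if __name__ == "__main__":
    for bucket, hosts in classify_hosts(SAMPLE_XML).items():
        print(bucket, hosts)
```

Keep the "unknown" bucket visible: a host that hides its banner is not patched, it is just not yet assessed.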
Which of the following session management techniques will help to prevent a session identifier from being stolen via an XSS attack?
A. Ensuring the session identifier length is sufficient
B. Creating proper session identifier entropy
C. Applying a secure attribute on session cookies
D. Utilizing transport layer encryption on all requests
E. Implementing session cookies with the HttpOnly flag
E. Implementing session cookies with the HttpOnly flag
HttpOnly keeps the cookie out of document.cookie, so script injected through XSS cannot read it. Length and entropy defend against guessing, and the Secure attribute and TLS defend against sniffing; none of them stops a script running in the page from reading the identifier.
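The attribute is set server-side in the Set-Cookie header, and auditing for it is a one-line parse of that header. The Python below is an added example, not from the flashcards: it builds a hardened session cookie with the standard library and audits Set-Cookie values for the missing HttpOnly, Secure and SameSite attributes. The cookie name, session value and sample headers are constructed for the demo.

```python
from http import cookies

def build_session_cookie(session_id, max_age=3600):
    """Set-Cookie value for a session identifier that page script cannot read."""
    jar = cookies.SimpleCookie()
    jar["SESSIONID"] = session_id
    morsel = jar["SESSIONID"]
    morsel["httponly"] = True      # hidden from document.cookie, so injected script cannot read it
    morsel["secure"] = True        # never sent over plaintext HTTP
    morsel["samesite"] = "Strict"  # not attached to cross-site requests
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    return morsel.OutputString()

def audit_set_cookie(header_value):
    """Return (cookie name, missing hardening attributes) for one Set-Cookie header value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    present = {p.split("=", 1)[0].lower() for p in parts[1:]}
    missing = [attr for attr in ("httponly", "secure", "samesite") if attr not in present]
    return name, missing

# Constructed responses: the first is how many frameworks ship by default.
SAMPLE_HEADERS = [
    "PHPSESSID=8f3a9c1d2e4b; Path=/",
    build_session_cookie("8f3a9c1d2e4b"),
]

def audit_all(headers):
    return [audit_set_cookie(h) for h in headers]

if __name__ == "__main__":
    for name, missing in audit_all(SAMPLE_HEADERS):
        print(name, "missing:", missing or "nothing")
```

HttpOnly stops the cookie being read, not the XSS itself: a script that still runs in the victim's page can send requests with the cookie attached, so output encoding (above) remains the fix for the injection.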